Palo Alto Networks acquires supply chain security provider, aims to harden application security

Palo Alto Networks (PAN) announced Thursday that it will acquire application security and software supply chain security provider Cider Security for approximately $195 million in cash. This acquisition is a good move toward enabling security to scale with modern software development, according to Melinda Marks, a senior analyst at Enterprise Strategy Group. 

PAN said the plan is to have Cider support its Prisma Cloud platform to secure the entire application security lifecycle from code to cloud. 

“For cloud-native development, you have developers empowered to provision and deploy applications to the cloud to make them available for customers, partners, and employees, and while it increases productivity, it’s a challenge for security teams to keep up with the speed and protect the applications in these dynamic, exposed environments,’’ Marks told VentureBeat in an email interview. 

Cider Security is a good example of a company building observability into developer workflows, such as CI/CD pipelines, to better incorporate security, she said. “What PAN is doing with Prisma by tying all of these solutions together is to enable security to become more embedded in development — shifting some work left to developers — while giving security teams visibility and control for consistency across development teams.” 

According to ESG’s newly-released report, Walking the Line: GitOps and Shift Left Security, 68% of respondents said it’s a high priority to adopt developer-focused security solutions, 31% said it’s important but not a high priority, and only 1% said it’s not a priority.

Securing the software supply chain

Today’s software engineering ecosystem is more diverse, moves at greater speed, and is more dynamic by nature. This has introduced a wide array of new cybersecurity challenges and gaps, making the software supply chain one of the biggest emerging attack vectors for cyberattacks, PAN said in a press release announcing the acquisition. 

“The average CI/CD pipeline can have hundreds of developer tools connected to it, which poses an enormous security risk,’’ the company said. “While much attention has been put on where code comes from, very little has been placed on the applications and software used in the development pipeline.”

“Any organization using public cloud has an application infrastructure with hundreds of tools and applications that can access their code and yet, they have limited visibility to their configuration or if they are secured,” said Lee Klarich, chief product officer for PAN, in a statement. “Cider has made it possible to connect into infrastructure, analyze the tools, and identify the risks, as well as how to remediate them. We are acquiring Cider for their innovation that will help enable Prisma Cloud to provide this capability that anyone doing cloud operations has to have.”

>>Don’t miss our new special issue: Zero trust: The new security paradigm.<<

Cider’s AppSec platform was designed to allow engineering to continue to move fast, without making compromises on security, said Guy Flechter, CEO at Cider Security, in a statement. “By scanning and securing the CI/CD pipeline, we can help identify where there may be vulnerabilities in your code.”

New products designed for the cloud-native stack

Security teams have struggled because they need to implement security processes and technology that don’t disrupt modern application development processes, Marks said. “We see newer security vendors with innovative products built for the cloud-native stack and modern development processes with CI/CD.’’ 

Over the past five years, PAN has made several strategic investments to broaden its portfolio in order to support its customers’ cloud adoption. In 2018, the company acquired Evident.io for cloud infrastructure security, then RedLock for cloud threat defense. Then, in 2019, the company “had the foresight to announce their Prisma cloud strategy as an effort to build out a platform to simplify access, data protection and application,’’ Marks said. 

PAN acquired more companies and has gradually incorporated their technologies into its platform. These include Twistlock for container security and Bridgecrew for developer-focused security with automated infrastructure as code (IaC) and supply chain security, according to Marks.  

Other vendors in this space include Check Point, TrendMicro, Crowdstrike and Lacework — which has started to make acquisitions with a similar goal. Marks noted that there are also newer startups such as Orca and Wiz. 

PAN said the proposed acquisition is expected to close during the second quarter of fiscal 2023.

Originally appeared on: TheSpuzz